Sequretek Advisory - BYOVD Attacks: Abusing Legitimate Drivers to Bypass Security
3/07/2024

An EDR-disabling tool embedded in device drivers continues to be used by threat actors. This is but one of the many attack vectors that leverage compromised system drivers.

BYOVD (Bring Your Own Vulnerable Driver) attacks are becoming a prevalent threat, enabling attackers to gain high-level privileges on compromised systems.

Abusing readily available vulnerable drivers, attackers can bypass security software, escalate privileges, steal data, and disrupt operations.

The availability of numerous vulnerable drivers (over 364 listed on loldrivers.io) and easy-to-use tools like EDR Terminator (advertised for as low as $300 on criminal forums) make these attacks accessible to a wider range of threat actors.
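A defender's first practical use of a list like loldrivers.io is to hash the drivers present on a host and match them against the list. The script below is an added example, not Sequretek's tooling or the loldrivers.io project's own code; it assumes a simplified feed shape (a JSON array of entries with `Tags`, `Category` and `KnownVulnerableSamples` carrying a `SHA256` field) and uses constructed driver bytes and a constructed blocklist entry so it runs offline without real hashes.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed stand-ins for driver binaries (not real drivers, not real hashes).
CONSTRUCTED_VULN_DRIVER = b"MZ\x90\x00constructed-vulnerable-driver-sample"
CONSTRUCTED_CLEAN_DRIVER = b"MZ\x90\x00constructed-benign-driver-sample"

# Constructed blocklist in a loldrivers.io-like shape. Assumption: the real feed
# is richer; only the SHA256 of each known sample is used here.
CONSTRUCTED_BLOCKLIST_JSON = json.dumps([
    {
        "Tags": ["example_vuln.sys"],
        "Category": "vulnerable driver",
        "KnownVulnerableSamples": [
            {
                "Filename": "example_vuln.sys",
                "SHA256": hashlib.sha256(CONSTRUCTED_VULN_DRIVER).hexdigest(),
            }
        ],
    }
])


def load_blocklist(json_text: str) -> Dict[str, Tuple[str, str]]:
    """Index every listed sample as lowercase SHA256 -> (tag, category)."""
    index: Dict[str, Tuple[str, str]] = {}
    for entry in json.loads(json_text):
        tag = (entry.get("Tags") or ["<untagged>"])[0]
        category = entry.get("Category", "unknown")
        for sample in entry.get("KnownVulnerableSamples", []):
            digest = (sample.get("SHA256") or "").lower()
            if digest:
                index[digest] = (tag, category)
    return index


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drivers(paths: Iterable[Path],
                 blocklist: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one finding per file whose SHA256 appears in the blocklist."""
    findings: List[dict] = []
    for path in paths:
        digest = sha256_file(path)
        hit = blocklist.get(digest)
        if hit:
            findings.append({"path": str(path), "sha256": digest,
                             "tag": hit[0], "category": hit[1]})
    return findings


def scan_directory(directory: Path,
                   blocklist: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Scan every *.sys file directly under `directory`."""
    return scan_drivers(sorted(directory.glob("*.sys")), blocklist)


def demo_scan() -> List[dict]:
    """Write the two constructed samples to a temp dir and scan them."""
    blocklist = load_blocklist(CONSTRUCTED_BLOCKLIST_JSON)
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "example_vuln.sys").write_bytes(CONSTRUCTED_VULN_DRIVER)
        (d / "benign.sys").write_bytes(CONSTRUCTED_CLEAN_DRIVER)
        return scan_directory(d, blocklist)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"MATCH {f['path']} sha256={f['sha256']} "
              f"tag={f['tag']} category={f['category']}")
```

On a Windows host the same `scan_directory` call would be pointed at `%SystemRoot%\System32\drivers` with a copy of the real feed loaded through `load_blocklist`. Hash matching only catches byte-identical samples, so a recompiled or re-signed variant of a known driver (the custom-built, stolen-certificate route the advisory mentions later) will not match; treat a hash hit as high-confidence evidence, not as the only check.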

Multiple variants of the tool exist, including open-source versions and those written in different languages (C#, Nim).

BYOVD attacks can compromise security, steal sensitive data, and disrupt critical operations.

Even though the Zemana driver vulnerabilities are known and documented, attackers continue to use them as they are readily available and effective.

Some threat actors are advocating for developing custom-built malicious drivers signed with stolen certificates.
